some code is "really secure", translates to "that code does nothing else than what it is supposed to do, ever, in any circumstances".

Which is the same as telling "that code has no known or unknown bug, present or future".

errr... You got my point :)

On the other hand, if you just wish to check that the code doesn't pro-actively spy out it's environment and send out passwords or the like, running it for a while on a virtual machine or in a chrooted environment and setting a Net filter around it to see if there is any suspect network activity is not hard to do.

Also, on the test machine, you could set up a file checksum app (Tripwire, AIDE, integrit, yafic, ...) that might help in making sure that none of the files in the working environment haven't been altered during the tests.

Even so, you'll catch just a tiny fraction of the possible gotchas.

It's like in real life: the better you're looking, the more dangers you'll see.

(Who would ever drink from the "clean" water at which she'd had a look through a good microscope before that...? :) ).